What causes DF-GEN2-InvalidServicePrincipalCredentialType?

The linked service 'Service Principal Credential Type' is set to 'ServicePrincipalCert' but the app registration in Azure AD uses a client secret (password), not a certificate. The linked service is configured with a client secret but the app registration has only a certificate credential. The credential type was changed in the Azure AD app registration after the ADF linked service was created

How do I fix DF-GEN2-InvalidServicePrincipalCredentialType?

Open the ADLS Gen2 linked service in ADF Studio and check the 'Service Principal Credential Type' setting.. In the Azure portal, go to Azure Active Directory > App Registrations > [your app] > Certificates & Secrets to confirm what type of credential the app uses.. If the app uses a client secret, set the credential type to 'ServicePrincipalKey' in ADF and enter the secret value.. If the app uses a certificate, set the credential type to 'ServicePrincipalCert' and provide the certificate.. Click 'Test connection' after updating to confirm the credential type and value are accepted.

Medium severitydata source

Power BI Refresh Error:
DF-GEN2-InvalidServicePrincipalCredentialType

What does this error mean?

The ADLS Gen2 linked service is configured for service principal authentication, but the credential type is set incorrectly — for example, the service principal expects a client secret but a certificate-based credential type is configured, or vice versa.

Common causes

1The linked service 'Service Principal Credential Type' is set to 'ServicePrincipalCert' but the app registration in Azure AD uses a client secret (password), not a certificate
2The linked service is configured with a client secret but the app registration has only a certificate credential
3The credential type was changed in the Azure AD app registration after the ADF linked service was created

How to fix it

1Open the ADLS Gen2 linked service in ADF Studio and check the 'Service Principal Credential Type' setting.
2In the Azure portal, go to Azure Active Directory > App Registrations > [your app] > Certificates & Secrets to confirm what type of credential the app uses.
3If the app uses a client secret, set the credential type to 'ServicePrincipalKey' in ADF and enter the secret value.
4If the app uses a certificate, set the credential type to 'ServicePrincipalCert' and provide the certificate.
5Click 'Test connection' after updating to confirm the credential type and value are accepted.

Frequently asked questions

What is the difference between ServicePrincipalKey and ServicePrincipalCert?

ServicePrincipalKey uses a client secret for authentication. ServicePrincipalCert uses an uploaded certificate. The choice depends on how the Azure AD app registration is configured.

Where do I find the credential type for an Azure AD app registration?

In the Azure portal, go to Azure AD > App Registrations > [app] > Certificates & Secrets. Entries under 'Certificates' mean cert auth; under 'Client secrets' means key auth.

Can I switch from client secret to certificate authentication without recreating the linked service?

Yes — open the linked service, change the credential type to ServicePrincipalCert, upload the certificate, and update the Key Vault reference if applicable. Test the connection before saving.

Official documentation: https://learn.microsoft.com/en-us/azure/data-factory/data-flow-troubleshoot-guide